apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: v1.25